Lots of money stolen from Wisconsin … in a BEC attack

BEC stands for business email compromise, and it is now becoming one of the leading forms of attack alongside ransomware. In an article I recently read, 2.3 million dollars meant to help Donald Trump’s election were stolen from the state of Wisconsin.

According to their statement, they are victims of a Business Email Compromise phishing attack that altered invoices to direct payments to accounts controlled by the threat actor.

This is a portion of a paragraph from the article, and I can see how this could be a problem.

Let’s talk about whose fault that is. It could be avoided by knowing who your invoice partners are, how their invoices are to be delivered, and when you’re expected to pay said invoices.

For example, I recently gained a new client for web hosting and will be looking to set up, hopefully, a recurring payment. I’m more than capable of running the charge, but if it can be run on its own, that would be nice too. If I were to invoice the client, I’d be telling the client that it was going to be sent by Freshbooks to his registered address I had on file. For now though, I went ahead and used my access to the credit card portal to bill. He asked how it was going to appear on the statement, and I gave him two possibilities as I thought I had changed it. I will be changing it in the not too distant future. I also asked about when to bill, and we have set pricing. If I’m able to get the charge billed automatically next time, I plan on doing that the next time I bill them.

When we go to a restaurant, we expect to be billed by the chain we are at. The same goes for grocery stores or other establishments. Online, however, it’s a bit different, because you can be billed by third-party companies like Share it!, which processes credit card transactions for many different companies, such as the small business Station Playlist. It tells you how the charge is going to appear on your credit card statement to prevent fraud.

Invoicing should not tell you to wire money to a specific account, unless you have an agreement like that with the merchant. I’m sure BEC can be stopped right in its tracks; I wouldn’t fall for a shipment email, for example, knowing that I don’t have a shipment due.

While there is no silver bullet for BEC attacks, organizations can take the following steps to reduce their risk:

  1. Put strong procedures in place for reviewing and authorizing the payment or transfer of funds.
  2. Monitor domain name registrations for look-alikes that could be used to send BEC emails.
  3. Provide users with in-depth, focused training on how to recognize and report BEC scams and frequently test them to maintain vigilance.
  4. Have a timely and efficient process in place to review suspicious emails, investigate threats, and mitigate attacks.
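The look-alike monitoring in item 2 is the kind of check that can be scripted. As an added example that is not from the original post or the article it quotes, this Python helper compares the domain of an invoice sender against a list of vendors you have agreed to pay and flags confusable spellings, vendor names embedded in another domain, and one-character typos; the vendor domains, the confusable tables, and the sample addresses are all constructed for illustration.

```python
"""Flag invoice-sender domains that merely look like a trusted vendor."""
import unicodedata
from difflib import SequenceMatcher

# Constructed list of domains this organisation has agreed to receive invoices from.
TRUSTED_VENDOR_DOMAINS = ["freshbooks.com", "example-hosting.net"]

# Single-character confusables: digits that resemble letters, plus a few
# Cyrillic letters that render identically to their Latin counterparts.
_CHAR_MAP = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
})
# Two-glyph sequences that read as a single letter in most fonts.
_PAIR_MAP = (("rn", "m"), ("vv", "w"))


def normalize(domain: str) -> str:
    """Collapse a domain to a canonical spelling so confusable forms compare equal."""
    d = unicodedata.normalize("NFKD", domain.strip().lower())
    d = "".join(ch for ch in d if not unicodedata.combining(ch))  # drop accents
    d = d.translate(_CHAR_MAP)
    for pair, single in _PAIR_MAP:
        d = d.replace(pair, single)
    return d


def classify_sender(address: str, trusted=TRUSTED_VENDOR_DOMAINS, threshold=0.85):
    """Return ("trusted", domain), ("lookalike", imitated_vendor) or ("unknown", None)."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    if domain in trusted:
        return ("trusted", domain)
    norm = normalize(domain)
    for vendor in trusted:
        vnorm = normalize(vendor)
        label = vnorm.split(".")[0]
        if norm == vnorm:            # differs only by confusable glyphs
            return ("lookalike", vendor)
        if label in norm:            # vendor name embedded in some other domain
            return ("lookalike", vendor)
        if SequenceMatcher(None, norm, vnorm).ratio() >= threshold:  # near-miss typo
            return ("lookalike", vendor)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample senders, as they might appear in an accounts-payable inbox.
    for sender in ["billing@freshbooks.com", "billing@freshb00ks.com",
                   "ap@freshbooks.com.invoice-portal.net", "ap@freshbo\u043eks.com",
                   "info@unrelated-example.org"]:
        verdict, imitated = classify_sender(sender)
        print(f"{sender:40} {verdict:9} {imitated or ''}")
```

Every sender that comes back as "lookalike" or "unknown" should go through the payment-authorization procedure in item 1 before any invoice from it is paid.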

I’m not exactly sure how I can train for this, but I would tell my customers how they are to be billed, which companies are sending invoices, and even make sure they recognize the ways to pay without compromising their security. To read more about this emerging threat, please check out PhishLabs’ article on this one: $2.3M Stolen from Wisconsin GOP via BEC Attack, and let’s stay safe!
